The task seems straightforward - configure a zone-pair from source vlan123 to destination vlan34 and then inspect ICMP and HTTP.

The answer shows that the class-maps call ACLs for ICMP and HTTP. I do not understand why that is necessary if we can just "match protocol" in the class-map.

I get that we need to map port 21 to HTTP with an ACL specifying R4's loopback.

Also, the answer shows TWO zone-pairs, one for each direction, but the task does not say to do that, so I don't understand why it is necessary. What is the point of the inspection policy if there is a zone-pair required in both directions just to let a ping go from R1 to R4 and back? Isn't the zone-pair supposed to be a stateful inspection?
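
For reference, the configuration the post describes (protocol matching in the class-map, one zone-pair from vlan123 to vlan34), written out as an added example; it is not the lab's answer key and not part of the original post. With the `inspect` action the router tracks sessions opened from vlan123 and permits their replies, while sessions opened from vlan34 would need a zone-pair of their own. Assumptions: 192.0.2.4 is a placeholder for R4's loopback, and the ACL number, class-map, policy-map, zone-pair and interface names are constructed.

```cisco
! Added example. 192.0.2.4 is a placeholder for R4's loopback (assumption).
! Host-specific port mapping: treat TCP/21 as HTTP only for that host.
access-list 21 permit 192.0.2.4
ip port-map http port tcp 21 list 21
!
! Match on protocol directly instead of calling ACLs from the class-map.
class-map type inspect match-any CM_ICMP_HTTP
 match protocol icmp
 match protocol http
!
! inspect = stateful: return traffic for tracked sessions is permitted.
policy-map type inspect PM_VLAN123_TO_VLAN34
 class type inspect CM_ICMP_HTTP
  inspect
 class class-default
  drop
!
zone security vlan123
zone security vlan34
!
! Single direction only: sessions initiated from vlan123 toward vlan34.
zone-pair security ZP_VLAN123_TO_VLAN34 source vlan123 destination vlan34
 service-policy type inspect PM_VLAN123_TO_VLAN34
!
! Interface names are assumptions; use the lab's actual interfaces.
interface GigabitEthernet0/0.123
 zone-member security vlan123
!
interface GigabitEthernet0/0.34
 zone-member security vlan34
```

`show policy-map type inspect zone-pair ZP_VLAN123_TO_VLAN34 sessions` lists the sessions the policy is tracking, which is the check for whether replies are being returned by state rather than by a second zone-pair.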